Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yNTZ4LWo0Mzgtdnc1bc4AA7UI
vyper performs double eval of the slice start/length args in certain cases
Summary
Using the slice builtin can result in a double eval vulnerability when the buffer argument is either msg.data, self.code or <address>.code and either the start or length arguments have side-effects.
A contract search was performed and no vulnerable contracts were found in production. Having side-effects in the start and length patterns is also an unusual pattern which is not that likely to show up in user code. It is also much harder (but not impossible!) to trigger the bug since 0.3.4 since the unique symbol fence was introduced (https://github.com/vyperlang/vyper/pull/2914).
Details
It can be seen that the _build_adhoc_slice_node function of the slice builtin doesn't cache the mentioned arguments to the stack: https://github.com/vyperlang/vyper/blob/4595938734d9988f8e46e8df38049ae0559abedb/vyper/builtins/functions.py#L244
As such, they can be evaluated multiple times (instead of retrieving the value from the stack).
PoC
with Vyper version 0.3.3+commit.48e326f the call to foo passes the asserts:
l: DynArray[uint256, 10]
@external
def foo(cs: String[64]) -> uint256:
for i in range(10):
self.l.append(1)
assert len(self.l) == 10
s: Bytes[64] = b""
s = slice(msg.data, self.l.pop(), 3)
assert len(self.l) == 10 - 2
return len(self.l)
Patches
Patched in https://github.com/vyperlang/vyper/pull/3976.
Impact
No vulnerable production contracts were found.
Permalink: https://github.com/advisories/GHSA-r56x-j438-vw5mJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yNTZ4LWo0Mzgtdnc1bc4AA7UI
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 7 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS Percentage: 0.00046
EPSS Percentile: 0.18938
Identifiers: GHSA-r56x-j438-vw5m, CVE-2024-32646
References:
- https://github.com/vyperlang/vyper/security/advisories/GHSA-r56x-j438-vw5m
- https://nvd.nist.gov/vuln/detail/CVE-2024-32646
- https://github.com/vyperlang/vyper/pull/2914
- https://github.com/advisories/GHSA-r56x-j438-vw5m
Blast Radius: 12.6
Affected Packages
pypi:vyper
Dependent packages: 5Dependent repositories: 236
Downloads: 90,482 last month
Affected Version Ranges: < 0.4.0
Fixed in: 0.4.0
All affected versions: 0.2.1, 0.2.2, 0.2.3, 0.2.4, 0.2.5, 0.2.6, 0.2.7, 0.2.8, 0.2.9, 0.2.10, 0.2.11, 0.2.12, 0.2.13, 0.2.14, 0.2.15, 0.2.16, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.3.6, 0.3.7, 0.3.8, 0.3.9, 0.3.10
All unaffected versions: 0.4.0